envsec 0.1.5 → 0.1.7

package/README.md

@@ -1,10 +1,11 @@
 # secenv
 
-Secure environment secrets management for macOS using the native Keychain.
+Secure environment secrets management using native OS credential stores.
 
 ## Features
 
-- Store secrets in macOS Keychain (not plain text files)
+- Store secrets in your OS native credential store (not plain text files)
+- Cross-platform: macOS, Linux, Windows
 - Organize secrets by environment (dev, staging, prod, etc.)
 - Track secret types (string, number, boolean) and metadata via SQLite
 - Search secrets with glob patterns
@@ -13,9 +14,33 @@ Secure environment secrets management for macOS using the native Keychain.
 
 ## Requirements
 
-- macOS
 - Node.js >= 18
 
+### macOS
+
+No extra dependencies. Uses the built-in Keychain via the `security` CLI tool.
+
+### Linux
+
+Requires `libsecret-tools` (provides the `secret-tool` command), which talks to GNOME Keyring, KDE Wallet, or any Secret Service API provider via D-Bus.
+
+```bash
+# Debian / Ubuntu
+sudo apt install libsecret-tools
+
+# Fedora
+sudo dnf install libsecret
+
+# Arch
+sudo pacman -S libsecret
+```
+
+A running D-Bus session and a keyring daemon (e.g. `gnome-keyring-daemon`) must be active. Most desktop environments handle this automatically.
+
+### Windows
+
+No extra dependencies. Uses the built-in Windows Credential Manager via `cmdkey` and PowerShell.
+
 ## Installation
 
 ```bash
@@ -94,7 +119,15 @@ secenv -e dev del api.key
 
 ## How it works
 
-Secrets are stored in the macOS Keychain using the `security` command-line tool. Metadata (key names, types, timestamps) is kept in a SQLite database at `~/.secenv/store.sqlite`. Keys must contain at least one dot separator (e.g., `service.account`) which maps to the Keychain service/account structure.
+Secrets are stored in the native OS credential store. The backend is selected automatically based on the platform:
+
+| OS      | Backend                        | Tool / API                          |
+|---------|--------------------------------|-------------------------------------|
+| macOS   | Keychain                       | `security` CLI                      |
+| Linux   | Secret Service API (D-Bus)     | `secret-tool` (libsecret)           |
+| Windows | Credential Manager             | `cmdkey` + PowerShell (advapi32)    |
+
+Metadata (key names, types, timestamps) is kept in a SQLite database at `~/.secenv/store.sqlite`. Keys must contain at least one dot separator (e.g., `service.account`) which maps to the credential store's service/account structure.
 
 ## License
 

package/dist/cli/load.js

@@ -0,0 +1,49 @@
+import { Command, Options } from "@effect/cli";
+import { Effect, Console } from "effect";
+import { SecretStore } from "../services/SecretStore.js";
+import { rootCommand } from "./root.js";
+import { readFileSync } from "node:fs";
+const input = Options.text("input").pipe(Options.withAlias("i"), Options.withDescription("Input .env file path (default: .env)"), Options.withDefault(".env"));
+const force = Options.boolean("force").pipe(Options.withAlias("f"), Options.withDescription("Overwrite existing secrets without prompting"));
+const parseLine = (line) => {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#"))
+        return null;
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1)
+        return null;
+    const key = trimmed.slice(0, eqIndex).trim();
+    const value = trimmed.slice(eqIndex + 1).trim().replace(/^["']|["']$/g, "");
+    return { key, value };
+};
+export const loadCommand = Command.make("load", { input, force }, ({ input, force }) => Effect.gen(function* () {
+    const { env } = yield* rootCommand;
+    const content = yield* Effect.try({
+        try: () => readFileSync(input, "utf-8"),
+        catch: () => new Error(`Cannot read file: ${input}`),
+    });
+    const lines = content.split("\n");
+    let added = 0;
+    let skipped = 0;
+    let overwritten = 0;
+    for (const line of lines) {
+        const parsed = parseLine(line);
+        if (!parsed)
+            continue;
+        const secretKey = parsed.key.toLowerCase().replaceAll("_", ".");
+        const exists = yield* SecretStore.list(env).pipe(Effect.map((items) => items.some((item) => item.key === secretKey)));
+        if (exists && !force) {
+            yield* Console.log(`⚠ Skipped "${secretKey}": already exists (use --force to overwrite)`);
+            skipped++;
+            continue;
+        }
+        if (exists) {
+            overwritten++;
+        }
+        else {
+            added++;
+        }
+        yield* SecretStore.set(env, secretKey, parsed.value, "string");
+    }
+    yield* Effect.log(`Done: ${added} added, ${overwritten} overwritten, ${skipped} skipped`);
+}));

package/dist/cli/run.js

@@ -18,7 +18,10 @@ export const runCommand = Command.make("run", { cmd }, ({ cmd }) => Effect.gen(f
         yield* Effect.log(`Resolved ${placeholders.length} secret(s)`);
     }
     try {
-        execSync(resolved, { stdio: "inherit", shell: "/bin/bash" });
+        execSync(resolved, {
+            stdio: "inherit",
+            shell: process.platform === "win32" ? "cmd.exe" : "/bin/sh",
+        });
     }
     catch (e) {
         yield* Effect.fail(new Error(`Command exited with code ${e.status ?? 1}`));

package/dist/implementations/LinuxSecretServiceAccess.js

@@ -0,0 +1,96 @@
+import { execFile } from "node:child_process";
+import { Effect, Layer } from "effect";
+import { KeychainAccess } from "../services/KeychainAccess.js";
+import { KeychainError, SecretNotFoundError } from "../errors.js";
+/**
+ * Linux implementation using `secret-tool` (libsecret).
+ *
+ * Stores secrets via the freedesktop.org Secret Service API (D-Bus),
+ * backed by GNOME Keyring, KDE Wallet, or any compatible provider.
+ *
+ * Requires: `libsecret-tools` package
+ *   - Debian/Ubuntu: sudo apt install libsecret-tools
+ *   - Fedora:        sudo dnf install libsecret
+ *   - Arch:          sudo pacman -S libsecret
+ */
+const run = (args, stdin) => Effect.async((resume) => {
+    const child = execFile("secret-tool", args, (error, stdout, stderr) => {
+        if (error && error.code === "ENOENT") {
+            resume(Effect.fail(new KeychainError({
+                command: args[0] ?? "unknown",
+                stderr: "secret-tool not found. Install libsecret-tools.",
+                message: "secret-tool is not installed. Install it with your package manager (e.g. apt install libsecret-tools).",
+            })));
+            return;
+        }
+        resume(Effect.succeed({
+            exitCode: error ? error.code ?? 1 : 0,
+            stdout,
+            stderr,
+        }));
+    });
+    // secret-tool store reads the password from stdin
+    if (stdin !== undefined) {
+        child.stdin?.write(stdin);
+        child.stdin?.end();
+    }
+});
+const make = KeychainAccess.of({
+    set: Effect.fn("LinuxSecretServiceAccess.set")(function* (service, account, password) {
+        // secret-tool store --label="<label>" <attribute> <value> ...
+        // Password is read from stdin
+        const result = yield* run([
+            "store",
+            "--label",
+            `secenv:${service}/${account}`,
+            "service",
+            service,
+            "account",
+            account,
+        ], password);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "store",
+                stderr: result.stderr,
+                message: `Failed to store secret: ${service}/${account}`,
+            });
+        }
+    }),
+    get: Effect.fn("LinuxSecretServiceAccess.get")(function* (service, account) {
+        // secret-tool lookup <attribute> <value> ...
+        const result = yield* run([
+            "lookup",
+            "service",
+            service,
+            "account",
+            account,
+        ]);
+        // secret-tool returns exit 0 with empty stdout when not found
+        if (result.exitCode !== 0 || result.stdout === "") {
+            return yield* new SecretNotFoundError({
+                key: account,
+                env: service,
+                message: `Secret not found: ${service}/${account}`,
+            });
+        }
+        return result.stdout.trimEnd();
+    }),
+    remove: Effect.fn("LinuxSecretServiceAccess.remove")(function* (service, account) {
+        // secret-tool clear <attribute> <value> ...
+        const result = yield* run([
+            "clear",
+            "service",
+            service,
+            "account",
+            account,
+        ]);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "clear",
+                stderr: result.stderr,
+                message: `Failed to remove secret: ${service}/${account}`,
+            });
+        }
+    }),
+});
+export const LinuxSecretServiceAccessLive = Layer.succeed(KeychainAccess, make);

package/dist/implementations/PlatformKeychainAccess.js

@@ -0,0 +1,23 @@
+import { platform } from "node:os";
+import { MacOsKeychainAccessLive } from "./MacOsKeychainAccess.js";
+import { LinuxSecretServiceAccessLive } from "./LinuxSecretServiceAccess.js";
+import { WindowsCredentialManagerAccessLive } from "./WindowsCredentialManagerAccess.js";
+/**
+ * Auto-detects the current OS and provides the appropriate KeychainAccess layer.
+ *
+ * - macOS:   uses `security` CLI (Keychain)
+ * - Linux:   uses `secret-tool` (libsecret / Secret Service API)
+ * - Windows: uses PowerShell + Credential Manager (advapi32 CredRead/cmdkey)
+ */
+export const PlatformKeychainAccessLive = (() => {
+    switch (platform()) {
+        case "darwin":
+            return MacOsKeychainAccessLive;
+        case "linux":
+            return LinuxSecretServiceAccessLive;
+        case "win32":
+            return WindowsCredentialManagerAccessLive;
+        default:
+            throw new Error(`Unsupported platform: ${platform()}. Supported: macOS, Linux, Windows.`);
+    }
+})();

package/dist/implementations/WindowsCredentialManagerAccess.js

@@ -0,0 +1,118 @@
+import { execFile } from "node:child_process";
+import { Effect, Layer } from "effect";
+import { KeychainAccess } from "../services/KeychainAccess.js";
+import { KeychainError, SecretNotFoundError } from "../errors.js";
+/**
+ * Windows implementation using PowerShell + Windows Credential Manager.
+ *
+ * Uses the built-in `cmdkey` for basic operations and PowerShell's
+ * `System.Net.NetworkCredential` / `CredentialManager` for read/write.
+ *
+ * No extra dependencies required — uses only built-in Windows APIs via PowerShell.
+ *
+ * Credential target format: "secenv:<service>/<account>"
+ */
+const runPowerShell = (script) => Effect.async((resume) => {
+    execFile("powershell.exe", [
+        "-NoProfile",
+        "-NonInteractive",
+        "-Command",
+        script,
+    ], (error, stdout, stderr) => {
+        if (error && error.code === "ENOENT") {
+            resume(Effect.fail(new KeychainError({
+                command: "powershell",
+                stderr: "powershell.exe not found",
+                message: "PowerShell is not available. Ensure you are running on Windows.",
+            })));
+            return;
+        }
+        resume(Effect.succeed({
+            exitCode: error ? error.code ?? 1 : 0,
+            stdout,
+            stderr,
+        }));
+    });
+});
+const escapePS = (s) => s.replaceAll("'", "''");
+const targetName = (service, account) => `secenv:${service}/${account}`;
+const make = KeychainAccess.of({
+    set: Effect.fn("WindowsCredentialManagerAccess.set")(function* (service, account, password) {
+        const target = escapePS(targetName(service, account));
+        const user = escapePS(account);
+        const pass = escapePS(password);
+        // Use cmdkey for simplicity — it's built-in and handles generic credentials
+        const script = `cmdkey /generic:'${target}' /user:'${user}' /pass:'${pass}'`;
+        const result = yield* runPowerShell(script);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "cmdkey /add",
+                stderr: result.stderr || result.stdout,
+                message: `Failed to store credential: ${service}/${account}`,
+            });
+        }
+    }),
+    get: Effect.fn("WindowsCredentialManagerAccess.get")(function* (service, account) {
+        const target = escapePS(targetName(service, account));
+        // Read credential using .NET CredentialManager API via PowerShell
+        // This is the only reliable way to read the password back from Credential Manager
+        const script = [
+            `Add-Type -AssemblyName System.Runtime.InteropServices`,
+            `$cred = [System.Runtime.InteropServices.Marshal]`,
+            `$target = '${target}'`,
+            // Use P/Invoke to call CredReadW
+            `Add-Type @'`,
+            `using System;`,
+            `using System.Runtime.InteropServices;`,
+            `public class CredManager {`,
+            `  [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]`,
+            `  public static extern bool CredRead(string target, int type, int flags, out IntPtr cred);`,
+            `  [DllImport("advapi32.dll")]`,
+            `  public static extern void CredFree(IntPtr cred);`,
+            `  [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]`,
+            `  public struct CREDENTIAL {`,
+            `    public int Flags; public int Type;`,
+            `    public string TargetName; public string Comment;`,
+            `    public long LastWritten; public int CredentialBlobSize;`,
+            `    public IntPtr CredentialBlob; public int Persist;`,
+            `    public int AttributeCount; public IntPtr Attributes;`,
+            `    public string TargetAlias; public string UserName;`,
+            `  }`,
+            `  public static string Read(string target) {`,
+            `    IntPtr ptr;`,
+            `    if (!CredRead(target, 1, 0, out ptr)) return null;`,
+            `    var c = (CREDENTIAL)Marshal.PtrToStructure(ptr, typeof(CREDENTIAL));`,
+            `    var pw = Marshal.PtrToStringUni(c.CredentialBlob, c.CredentialBlobSize / 2);`,
+            `    CredFree(ptr);`,
+            `    return pw;`,
+            `  }`,
+            `}`,
+            `'@`,
+            `$result = [CredManager]::Read('${target}')`,
+            `if ($result -eq $null) { exit 1 }`,
+            `Write-Output $result`,
+        ].join("\n");
+        const result = yield* runPowerShell(script);
+        if (result.exitCode !== 0) {
+            return yield* new SecretNotFoundError({
+                key: account,
+                env: service,
+                message: `Secret not found: ${service}/${account}`,
+            });
+        }
+        return result.stdout.trim();
+    }),
+    remove: Effect.fn("WindowsCredentialManagerAccess.remove")(function* (service, account) {
+        const target = escapePS(targetName(service, account));
+        const script = `cmdkey /delete:'${target}'`;
+        const result = yield* runPowerShell(script);
+        if (result.exitCode !== 0) {
+            return yield* new KeychainError({
+                command: "cmdkey /delete",
+                stderr: result.stderr || result.stdout,
+                message: `Failed to remove credential: ${service}/${account}`,
+            });
+        }
+    }),
+});
+export const WindowsCredentialManagerAccessLive = Layer.succeed(KeychainAccess, make);

package/dist/main.js

@@ -11,10 +11,11 @@ import { searchCommand } from "./cli/search.js";
 import { listCommand } from "./cli/list.js";
 import { runCommand } from "./cli/run.js";
 import { envFileCommand } from "./cli/env-file.js";
+import { loadCommand } from "./cli/load.js";
 import { SecretStore } from "./services/SecretStore.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
-const command = rootCommand.pipe(Command.withSubcommands([addCommand, getCommand, deleteCommand, delCommand, searchCommand, listCommand, runCommand, envFileCommand]));
+const command = rootCommand.pipe(Command.withSubcommands([addCommand, getCommand, deleteCommand, delCommand, searchCommand, listCommand, runCommand, envFileCommand, loadCommand]));
 const cli = Command.run(command, {
     name: "secenv",
     version: pkg.version,

package/dist/services/SecretStore.js

@@ -2,11 +2,11 @@ import { Effect } from "effect";
 import { KeychainAccess } from "./KeychainAccess.js";
 import { MetadataStore } from "./MetadataStore.js";
 import * as SecretKey from "../domain/SecretKey.js";
-import { MacOsKeychainAccessLive } from "../implementations/MacOsKeychainAccess.js";
+import { PlatformKeychainAccessLive } from "../implementations/PlatformKeychainAccess.js";
 import { SqliteMetadataStoreLive } from "../implementations/SqliteMetadataStore.js";
 export class SecretStore extends Effect.Service()("SecretStore", {
     accessors: true,
-    dependencies: [MacOsKeychainAccessLive, SqliteMetadataStoreLive],
+    dependencies: [PlatformKeychainAccessLive, SqliteMetadataStoreLive],
     effect: Effect.gen(function* () {
         const keychain = yield* KeychainAccess;
         const metadata = yield* MetadataStore;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "envsec",
-  "version": "0.1.5",
-  "description": "Secure environment secrets management using macOS Keychain",
+  "version": "0.1.7",
+  "description": "Secure environment secrets management using native OS credential stores",
   "type": "module",
   "bin": {
     "secenv": "./dist/main.js"
@@ -12,9 +12,6 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "os": [
-    "darwin"
-  ],
   "scripts": {
     "build": "tsc",
     "prepublishOnly": "npm run build"
@@ -23,7 +20,12 @@
     "secrets",
     "environment-variables",
     "keychain",
+    "credential-manager",
+    "libsecret",
+    "cross-platform",
     "macos",
+    "linux",
+    "windows",
     "effect",
     "cli"
   ],